Certified 312-50 preparation exams Reviews & Tips


Q391. This is an example of a WHOIS record.

Sometimes a company shares a little too much information on their organization through public domain records. Based on the above whois record, what can an attacker do? (Select 2 answers) 

A. Search engines like Google and Bing will expose information listed in the WHOIS record

B. An attacker can attempt phishing and social engineering on targeted individuals using the information from WHOIS record 

C. Spammers can send unsolicited e-mails to addresses listed in the WHOIS record 

D. IRS Agents will use this information to track individuals using the WHOIS record information 

Answer: BC

Q392. Which of the following represent weak passwords? (Select 2 answers)

A. Passwords that contain letters, special characters, and numbers Example: ap1$%##f@52 

B. Passwords that contain only numbers Example: 23698217 

C. Passwords that contain only special characters Example: &*#@!(%) 

D. Passwords that contain letters and numbers Example: meerdfget123 

E. Passwords that contain only letters Example: QWERTYKLRTY 

F. Passwords that contain only special characters and numbers Example: 123@$45 

G. Passwords that contain only letters and special characters Example: bob@&ba 

H. Passwords that contain Uppercase/Lowercase from a dictionary list Example: OrAnGe 

Answer: EH

Q393. Hayden is the network security administrator for her company, a large finance firm based in Miami. Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats, many of which she did not know of. Hayden is worried about the current security state of her company's network, so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established, she sends RST packets to those hosts to stop the session. She does this to see how her intrusion detection system will log the traffic. What type of scan is Hayden attempting here?

A. Hayden is attempting to find live hosts on her company's network by using an XMAS scan 

B. She is utilizing a SYN scan to find live hosts that are listening on her network 

C. The type of scan she is using is called a NULL scan

D. Hayden is using a half-open scan to find live hosts on her network 

Answer: D

Q394. What is the proper response for a FIN scan if the port is closed? 







Explanation: Closed ports respond to a FIN scan with an RST.

Q395. In Trojan terminology, what is a covert channel? 

A. A channel that transfers information within a computer system or network in a way that violates the security policy 

B. A legitimate communication path within a computer system or network for transfer of data 

C. It is a kernel operation that hides boot processes and services to mask detection 

D. It is a reverse tunneling technique that uses the HTTPS protocol instead of the HTTP protocol to establish connections

Answer: A

Q396. Name two software tools used for OS guessing. (Choose two.)

A. Nmap 

B. Snadboy 

C. Queso 

D. UserInfo 

E. NetBus 

Answer: AC

Explanation: Nmap and Queso are the two best-known OS guessing programs. OS guessing software looks at peculiarities in the way that each vendor implements the RFCs. These differences are compared with the tool's database of known OS fingerprints, and a best guess of the OS is then provided to the user.

Q397. During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces? 

A. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses. 

B. Send your attack traffic and look for it to be dropped by the IDS. 

C. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network. 

D. The sniffing interface cannot be detected. 

Answer: D

Explanation: When a NIC is set to promiscuous mode, it blindly takes whatever comes through its network interface and sends it to the application layer. This is why such interfaces are so hard to detect. You could in fact send ARP requests to every PC, and the one that responds to all of the requests can be identified as a NIC in promiscuous mode; there are some very specialized programs that can do this for you. But considering the alternatives in the question, the right answer has to be that the interface cannot be detected.

Q398. Maurine is working as a security consultant for Hinklemeir Associate. She has asked the Systems Administrator to create a group policy that would not allow null sessions on the network. The Systems Administrator is fresh out of college and has never heard of null sessions and does not know what they are used for. Maurine is trying to explain to the Systems Administrator that hackers will try to create a null session when footprinting the network. 

Why would an attacker try to create a null session with a computer on a network? 

A. Enumerate users and shares

B. Install a backdoor for later attacks 

C. Escalate his/her privileges on the target server 

D. To create a user with administrative privileges for later use 

Answer: A

Explanation: The Null Session is often referred to as the "Holy Grail" of Windows hacking. Listed as the number 5 Windows vulnerability on the SANS/FBI Top 20 list, Null Sessions take advantage of flaws in the CIFS/SMB (Common Internet File System/Server Message Block) architecture. You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name and password. Using these null connections allows you to gather the following information from the host:

- List of users and groups
- List of machines
- List of shares
- User and host SIDs (Security Identifiers)

Topic 5, System Hacking 

177. If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible? 

A. Birthday 

B. Brute force 

C. Man-in-the-middle 

D. Smurf 

Answer: B

Explanation: Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of the PIN, the cracker can keep trying PINs until it is cracked.

Q399. The United Kingdom (UK) has passed a law that makes hacking into an unauthorized network a felony.

The law states: 

Section 1 of the Act refers to unauthorized access to computer material. This states that a person commits an offence if he causes a computer to perform any function with intent to secure unauthorized access to any program or data held in any computer. For a successful conviction under this part of the Act, the prosecution must prove that the access secured is unauthorized and that the suspect knew that this was the case. This section is designed to deal with common-or-garden hacking.

Section 2 of the Act deals with unauthorized access with intent to commit or facilitate the commission of further offences. An offence is committed under Section 2 if a Section 1 offence has been committed and there is the intention of committing or facilitating a further offence (any offence which attracts a custodial sentence of more than five years, not necessarily one covered by the Act). Even if it is not possible to prove the intent to commit the further offence, the Section 1 offence is still committed.

Section 3 offences cover unauthorized modification of computer material, which generally means the creation and distribution of viruses. For conviction to succeed, there must have been the intent to cause the modifications and knowledge that the modification had not been authorized.

What is the law called? 

A. Computer Misuse Act 1990 

B. Computer incident Act 2000 

C. Cyber Crime Law Act 2003 

D. Cyber Space Crime Act 1995 


Explanation: Computer Misuse Act (1990) creates three criminal offences: 

Q400. Michael is a junior security analyst working for the National Security Agency (NSA) working primarily on breaking terrorist encrypted messages. The NSA has a number of methods they use to decipher encrypted messages including Government Access to Keys (GAK) and inside informants. The NSA holds secret backdoor keys to many of the encryption algorithms used on the Internet. The problem for the NSA, and Michael, is that terrorist organizations are starting to use custom-built algorithms or obscure algorithms purchased from corrupt governments. For this reason, Michael and other security analysts like him have been forced to find different methods of deciphering terrorist messages. One method that Michael thought of using was to hide malicious code inside seemingly harmless programs. Michael first monitors sites and bulletin boards used by known terrorists, and then he is able to glean email addresses to some of these suspected terrorists. Michael then inserts a stealth keylogger into a mapping program file readme.txt and then sends that as an attachment to the terrorist. This keylogger takes screenshots every 2 minutes and also logs all keyboard activity into a hidden file on the terrorist's computer. Then, the keylogger emails those files to Michael twice a day with a built in SMTP server. What technique has Michael used to disguise this keylogging software? 

A. Steganography 

B. Wrapping 


D. Hidden Channels 

Answer: A